On Jul 10, 10:01pm, manunetbsd.org (Emmanuel Dreyfus) wrote:
-- Subject: Re: sshd and read-only filesystem

| But it is a pain to be unable to use sshd with a read-only filesystem.

But having dev readonly does not really work, does it? What happens
when you try to write to /dev/null?

You can always do the mfs /dev trick that init does.

christos

| You may want to setup a firewall or sniffer with the filesystem mounted
| read-only and securelevel=2, or even with a read-only boot media (hard
| disk write protected using a jumper, CDROM, or why not just an EPROM if
| we are running on an embeded device?), so that if it is compromised you
| remain absolutely certain that rebooting the system will bring back a
| clean state. And it is usefull to be able to ssh to such a box, for
| instance for running tcpdump, collecting statistics, or simply for
| adding ipf rules.
|
| Would there be a problem if we allow using a pty that you do not own if
| it is owned by root? After all, the risk is that root snoops what you
| are doing on your pty, but root can always snoop any pty, regardless who
| is the owner, isn't it?
|
| --
| Emmanuel Dreyfus
| p99dreyfcriens.u-psud.fr
-- End of excerpt from Emmanuel Dreyfus

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]